Splunk Search

Replace a null value after search appending

patilsh
Explorer

Hello All,

I have a search query as below:

    index="alpha_all_aal_event" type=twaReport
    | search callId=0 userId=a2ebd4aa-f91a-4088-8667-60143707c368
    | fields *
    | rename eventTime.$date as eventTime
    | eval eventTime=(eventTime/1000)
    | append
        [search index="alpha_all_careport_event" userId=a2ebd4aa-f91a-4088-8667-60143707c368
        | fields *
        | rename eventTime.$date as eventTime
        | eval eventTime=(eventTime/1000)
        | streamstats min(eventTime) as limit]
    | table eventTime eventData.preLimiterSplEstimate eventData.postLimiterSplEstimate eventData.twaThreshold limit

And the data is shown below:

The limit column has just a single value, min(eventTime), from one of the search queries, and it's null everywhere else. I want to replace the null values of limit with the already existing single value in limit. Can someone please help me with how to do this? As this is an appended search, I am not getting the expected results.

0 Karma

DalJeanis
Legend

Try this...

    | eventstats min(limit) as limit

Although I'd probably write it more like this...

    userId="a2ebd4aa-f91a-4088-8667-60143707c368"
    (index="alpha_all_aal_event" type=twaReport callId=0) OR (index="alpha_all_careport_event")
    | fields *
    | rename eventTime.$date as eventTime
    | eval eventTime=(eventTime/1000)
    | eval limit=if(index="alpha_all_careport_event",eventTime,null())
    | eventstats min(limit) as limit by userId
    | where index="alpha_all_aal_event"
    | table eventTime eventData.preLimiterSplEstimate eventData.postLimiterSplEstimate eventData.twaThreshold limit

0 Karma
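
The single-search approach in the answer above can be tried without access to either index. This is an added example, not part of the original thread: it builds constructed rows with `makeresults`, and the two `constructed-user-*` userId values and all eventTime values are made up for illustration. It goes slightly beyond the thread by using two users, to show what `by userId` does.

```spl
| makeresults count=4
| streamstats count as n
| eval index="alpha_all_aal_event", userId=if(n<=2, "constructed-user-A", "constructed-user-B"), eventTime=1700000100+n*10
| append
    [| makeresults count=4
     | streamstats count as n
     | eval index="alpha_all_careport_event", userId=if(n<=2, "constructed-user-A", "constructed-user-B"), eventTime=1700000000+n*5]
| eval limit=if(index="alpha_all_careport_event", eventTime, null())
| eventstats min(limit) as limit by userId
| where index="alpha_all_aal_event"
| table userId eventTime limit
```

Every remaining `alpha_all_aal_event` row carries the earliest careport eventTime of its own user in `limit`; dropping `by userId` would instead spread one global minimum across both users.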

patilsh
Explorer

I tried eventstats, still the same

0 Karma

DalJeanis
Legend

@patilsh - okay, try my way then.

0 Karma